Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

CVE-2025-66131: Missing Authorization in yaadsarig Yaad Sarig Payment Gateway For WC

0
Critical
VulnerabilityCVE-2025-66131cvecve-2025-66131
Published: Tue Dec 16 2025 (12/16/2025, 08:12:54 UTC)
Source: CVE Database V5
Vendor/Project: yaadsarig
Product: Yaad Sarig Payment Gateway For WC

Description

Missing Authorization vulnerability in yaadsarig Yaad Sarig Payment Gateway For WC yaad-sarig-payment-gateway-for-wc allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Yaad Sarig Payment Gateway For WC: from n/a through <= 2.2.10.

AI-Powered Analysis

AILast updated: 02/05/2026, 08:11:18 UTC

Technical Analysis

CVE-2025-66131 is a critical security vulnerability identified in the Yaad Sarig Payment Gateway plugin for WooCommerce (WC), affecting versions up to and including 2.2.10. The core issue is a missing authorization control that allows unauthenticated attackers to bypass access restrictions and perform unauthorized actions within the payment gateway. This vulnerability stems from incorrectly configured access control security levels, which fail to properly verify the identity or permissions of the requester before granting access to sensitive functions or data. The vulnerability has a CVSS v3.1 base score of 9.1, reflecting its critical nature, with an attack vector over the network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction needed (UI:N), and impacts on confidentiality and integrity (C:H/I:H) but not availability (A:N). Exploitation could lead to unauthorized access to payment processing functions, exposure of sensitive payment data, or manipulation of transaction details, potentially resulting in financial fraud or data breaches. Although no known exploits have been reported in the wild yet, the ease of exploitation and the critical impact make this a high-risk vulnerability. The plugin is used primarily in WooCommerce-based e-commerce sites, which are widely adopted across Europe, especially in countries with mature online retail sectors. The lack of a patch link suggests that a fix may not yet be available, emphasizing the need for immediate mitigation steps. The vulnerability was reserved in late November 2025 and published in mid-December 2025, indicating recent discovery and disclosure.

Potential Impact

For European organizations, especially e-commerce businesses using WooCommerce with the Yaad Sarig Payment Gateway, this vulnerability poses a significant risk. Exploitation can lead to unauthorized access to payment processing functions, resulting in potential financial fraud, theft of sensitive customer payment information, and loss of customer trust. The confidentiality and integrity of payment transactions can be compromised, leading to regulatory compliance issues under GDPR and financial regulations. The absence of required authentication lowers the barrier for attackers, increasing the likelihood of exploitation. This can disrupt business operations, cause reputational damage, and incur financial penalties. Given the widespread use of WooCommerce in Europe, particularly in countries with large e-commerce markets, the threat could affect a broad range of retailers, from small businesses to large enterprises. The lack of availability impact means service disruption is less likely, but data and transactional integrity risks remain critical.

Mitigation Recommendations

Organizations should immediately audit their WooCommerce installations to determine if the Yaad Sarig Payment Gateway plugin is in use and verify the version. Until an official patch is released, consider disabling the plugin or replacing it with an alternative payment gateway that has verified security controls. Implement strict network-level access controls to restrict access to the payment gateway endpoints, such as IP whitelisting or VPN requirements. Monitor logs for unusual or unauthorized access attempts targeting the payment gateway. Conduct a thorough review of access control configurations within the WooCommerce environment to ensure no other plugins or components have similar authorization weaknesses. Engage with the plugin vendor or security community to obtain updates on patch availability and apply them promptly once released. Additionally, implement multi-factor authentication for administrative access to the e-commerce platform to reduce the risk of privilege escalation. Finally, educate staff and customers about potential phishing or social engineering attacks that could leverage this vulnerability.

Need more detailed analysis?Upgrade to Pro Console

Technical Details

Data Version
5.2
Assigner Short Name
Patchstack
Date Reserved
2025-11-21T11:21:32.202Z
Cvss Version
null
State
PUBLISHED

Threat ID: 69411750594e45819d70c756

Added to database: 12/16/2025, 8:24:48 AM

Last enriched: 2/5/2026, 8:11:18 AM

Last updated: 2/7/2026, 12:36:01 PM

Views: 44

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats